Strong Data Governance Underpins the New Customer Due Diligence Rules

by Matt Kelly on April 6th, 2018

Financial regulators’ new requirements for enhanced customer due diligence (CDD) go into effect on May 11. These rules have been looming for nearly two years, and in theory they build upon pre-existing CDD programs banks and other financial firms have had for years.

In reality, compliance programs still have lots of implementation challenges to ponder. Let’s consider some of them now.

The enhanced CDD rules require banks and other financial firms to verify the beneficial owners of any legal entities that open new accounts with them. That is, when representatives of Shady Shell Company seek to open a new account, the firm must identify all beneficial owners of the company (any person owning 25 percent or more of the business), as well as any controller of the company (any person with “significant responsibility to control, manage or direct” the legal entity).

That’s the objective. To get there, financial firms are supposed to follow FinCEN’s four steps for effective due diligence:

Identify the customer (the person actually opening the account);

Identify the beneficial owner (which may be a different person or a legal entity);

Understand the nature of the customer relationship so you can develop a risk profile;

Use monitoring procedures to identify and report suspicious transactions, and to maintain current, accurate customer information.

The good news is that Customer Identification Programs (CIPs) have been around for years. Adding beneficial owners into the process is what’s new, and while that’s certainly not easy, compliance officers can build new policies and procedures on the CIPs they already have.

And that fact, in turn, gives us some clues about the types of challenges you will need to overcome.

For example, a firm already collects information about customers, and screens them against the government’s watch list for anti-money laundering. Now you will need to collect similar information on a new set of persons (beneficial owners) and run them through the same screening process.

So one risk is that something gets lost in that new, expanded due diligence process. A beneficial owner’s name isn’t collected, or it fails to go through that AML screening. The key to success will really be strong data governance: crafting the correct procedures to gather the data you need and process it the way you should.

Now, yes: the new CDD rules also require written policies for enhanced due diligence, which consequently means training employees so they know what the new requirements are and what they’re supposed to do. Those are (I hate to say it) boxes you need to check to demonstrate compliance.

The bigger question, one that will linger long past the May 11 deadline, is how to make your customer due diligence program run effectively. The FinCEN requirements add more steps. So if you rely on manual processes for compliance, you’re increasing your chance of error.

The long-term goal is to integrate these new steps into an automated compliance program that reduces your chance of error. That’s the fixed concept, around which all your thoughts of “How do we make this work?” should orbit.

For example, you might overhaul your account opening procedures. Firms can rely on evidence supplied from customers about beneficial ownership (unless you have reason to doubt them), so you might aim for a consolidated, one-stop procedure of gathering all data at once.

We should also remember that many firms already do gather beneficial owner data, down to 10 percent ownership stakes. Can your systems tie all that data to your suspicious activity reporting system in an automated way? Or are you laboring through duplicative SAR systems or incomplete data, because somebody, somewhere, neglected to input beneficial owner data correctly?

That’s the challenge for the long haul: not just drafting required procedures, but designing procedures that generate the data you need, in a way that lets you automate CDD compliance as much as possible.

Building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.